Is egge21m/cocod safe?

https://github.com/openclaw/skills/tree/main/skills/egge21m/cocod

Overall score: 85/100 (SAFE)

The cocod skill is a documentation-only Cashu ecash wallet CLI wrapper with no executable code, no malicious prompt injection, and clean installation behavior. Its primary risk is structural rather than malicious: the HTTP 402/X-Cashu auto-payment trigger allows any server the agent contacts to redirect wallet funds, and the wallet's mnemonic material becomes a high-value target if combined with other compromised skills. The skill's own safety instructions are genuinely protective, making it appropriate for installation with awareness of the financial loss surface.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 74/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM HTTP 402 / X-Cashu flow enables attacker-controlled payment drain -18

The skill instructs the agent to parse and settle HTTP 402 responses containing an X-Cashu header from any server. A malicious API endpoint (or a MITM attacker) can inject a 402 response into any outbound HTTP request the agent makes, directing a payment to an attacker-controlled Cashu mint. The skill's 'ask permission first' rule partially mitigates this, but autonomous or pre-authorized agents would be vulnerable.

MEDIUM 402 auto-trigger creates passive prompt-injection surface via server responses -18

Any HTTP server the agent contacts can issue a 402+X-Cashu response to redirect agent behavior toward a payment flow. While the skill requires user confirmation before spending, the mere act of parsing the malicious header and presenting it to the user is a form of server-controlled agent behavior modification.

LOW Wallet mnemonic in ~/.cocod is a high-value target for adjacent skills -20

If another malicious skill is installed alongside this one, it could read ~/.cocod/mnemonic material and exfiltrate it. The cocod skill itself instructs the agent never to expose these contents, but it cannot enforce this constraint on other skills in the same agent context.

LOW Financial transaction data flows to external servers by design -8

Cashu tokens and Lightning invoices are sent to and received from external mint servers and Lightning nodes. This is declared functionality but means that user financial activity is visible to those external servers. Mint operators can link transactions if mint-URL isolation is not used.

INFO Canary file accesses predate skill install — monitoring framework artifact 0

inotifywait and auditd logs record accesses to .env, .ssh/id_rsa, .aws/credentials, and other credential files at 12:37:33, approximately 5 seconds before the git clone began at 12:37:38. These accesses are consistent with the monitoring framework creating or recording baseline hashes for its honeypot files and are not attributable to the skill.

INFO Skill is documentation-only with no executable artifacts 0

The skill repository contains only SKILL.md and _meta.json. No code, no package.json, no install hooks, no git hooks, no submodules, no symlinks.